INTRODUCTION

My  name  is  Willis  H.  Ware.  I  am  a  member  of  the  Corporate  Research 
Staff of The Rand Corporation, but the views I state today are solely my
own; they in no way reflect a position of The Rand Corporation nor of
its research clients. Furthermore, my views do not come from a specific
contract,  but  rather  reflect  a  decade  of  my  attention  to  the  issue.  I 
am  an  electrical  engineer  by  training,  but  have  specialized  in  the  field 
of  computer  technology  for  over  thirty  years. 

My credentials for addressing the issue include the following. In
1967, I was the first to bring the issue of computer security to the
attention of the technical field by organizing a special session on the
subject at a Joint Computer Conference in the spring of that year.
Subsequently,  I  chaired  a  Defense  Science  Board  (Department  of  Defense) 
committee  to  look  at  the  issue  of  computer  security  which  had  never  been 
examined  comprehensively  anywhere  in  government.  The  report  was  a 
definitive treatment of the subject, and to this day remains an
excellent primer. I have furnished three copies of that document to
this  committee  as  background  information. 

1 Additional material on electronic mail was orally presented but
did not appear in the originally submitted testimony. This version
includes the additional material and has been slightly edited and
annotated.

Because of my work in computer security, I was asked in the early
1970s  to  join  a  special  advisory  group  to  the  Secretary  of  HEW,  and  I 
subsequently  became  its  chairman.  Its  report,  Records,  Computers  and 
the Rights of Citizens, was the first comprehensive treatment of the
matter  at  the  federal  level.  It  provided  the  intellectual  foundation 
for  the  Federal  Privacy  Act  of  1974,  which  among  other  things  created 
the  Privacy  Protection  Study  Commission  of  which  I  was  a  member  and  vice 
chairman. 

In  addition  to  my  participation  in  the  activities  noted  above,  I 
have  also  spoken  and  written  widely  on  the  subject.  In  particular,  I 
presented a paper, Policy Aspects of Privacy and Access, to a National
Science  Foundation  symposium.  Although  the  paper  will  be  published  by 
Crane-Russak  as  a  special  double  issue  of  its  journal  The  Information 
Society,2  I  will  forward  three  copies  of  it  to  the  committee  for 
background  information. 

STATEMENT 

Congressman  Glickman,  it  is  a  pleasure  to  have  been  invited  here 
today  to  talk  with  you  about  a  subject  that  is  of  such  importance,  not 
only  to  me  professionally  but  also  to  the  country.  Since  time  is 
limited  this  morning,  my  presentation  will  be  in  the  nature  of  a 
hopscotch  over  a  variety  of  points  and  ideas  that  I  think  will  be  of 
significance  for  you.  I  will  elaborate  or  expand  in  any  detail  at  your 
request  or  on  another  occasion. 

Let  me  first  clarify  the  relationship  between  security  and  privacy, 
where  I  use  the  latter  term  in  the  context  of  record-keeping  privacy; 
namely,  the  use  of  information  about  people  to  make  decisions  and 
judgments  about  them.  Record-keeping  privacy  concerns  personal 
information  kept  in  computer-based  systems,  and  the  essence  of  it  is 
protecting  such  information  and  controlling  its  use  for  authorized 
purposes.  In  contrast,  computer  security  is  that  body  of  technology, 
techniques,  procedures,  and  practices  that  provides  the  protective 
mechanisms  to  assure  the  safety  of  both  the  computer  systems  themselves 
and the information within them; and, in addition, limits access to such
information solely to authorized users. Computer security is of
importance whether the information to be protected is personal in nature
and therefore relative to privacy; whether it is defense in nature and
therefore related to the security of the country; or whether it is
sensitive in nature and therefore relevant to corporate welfare in the
private sector. The important point to be noted is that a comprehensive
set of security safeguards within and around a computer-based
information system is an essential prerequisite for assuring personal
privacy. To operate such a system without relevant safeguards is a sham
against privacy assurance.

2 Issue 3/4, Vol. 2 is in press. Anticipated date of publication
December 1983.

The  computer  security  issue  must  be  seen  as  analogous  to  the 
classical  offense/defense  situation.  As  computer  security  safeguards 
become  stronger,  the  offenses  against  them  will  become  more 
sophisticated  and  the  cycle  will  repeat.  Therefore,  no  organization  or 
Congress  can  assume  that  the  computer  security  issue  is  one  that  can  be 
looked  at  and  forgotten.  It  first  surfaced  on  the  professional  scene 
only  fifteen  years  ago;  we  are  still  low  on  the  learning  curve  with 
regard  to  knowing  how  to  incorporate  comprehensive  protection  mechanisms 
in our systems. It is an evolving issue, not a static end-of-the-road
one  to  be  dismissed.  Therefore,  I  would  recommend  to  you  that: 

It be a standing agenda item for this or other committees of
the Congress to look at every year or so for at least the next
five and possibly the next ten years.

Next,  let  me  contrast  the  security  situation  in  the  defense 
environment  versus  that  in  the  commercial/industrial  world.  Within 
defense  the  threat  against  computer-based  systems  includes  the  full 
technical  resources  of  advanced  major  world  powers,  where  such  threats 
can  be  mounted  with  substantial  funding  and  other  resources.  In  the 
Department  of  Defense  context,  therefore,  the  threat  includes  intense 
technical  aspects  as  well  as  aspects  involving  people  --  such  as  buying 
them  for  subversive  actions.  On  the  other  hand,  the  defense  community 
does  go  through  an  investigative  process  to  grant  formal  clearances  to 
people;  therefore,  it  has  substantial  assurance  of  trustworthiness. 

In the commercial sector, on the other hand, the technical threat
is at present minimal. The big threat is people within the systems
themselves. If one examines, for example, the Parker/SRI database of
computer-related criminal actions, he finds that the great bulk of them
have been perpetrated by an individual who was authorized to interact
with  the  system  and  who  knew  enough  about  it  to  exploit  it  for  personal 
gain.  Furthermore,  there  is  generally  little  attention  paid  in  the 
commercial  world  to  establishing  trustworthiness  of  individuals  in 
critical and sensitive positions within a computer-based information
system.  Some  corporations  do  essentially  nothing  by  way  of  assuring  the 
trustworthiness  of  critical  individuals;  others  take  the  minimal  step  of 
requiring  that  individuals  be  bondable  --  a  really  minimum  level  of 
assurance  of  trustworthiness;  and  very  few,  perhaps  none,  engage  in  a 
comprehensive  background  investigation.  When  the  private  sector  gets 
the  "people  problem"  dimension  of  the  threat  against  its  computer 
systems  under  control,  and  the  simple  technical  threats  protected 
against,  then  sophisticated  technical  threats  will  become  more 
important.

Let  us  examine  the  last  point  more  closely.  What  can  we  do  about 
the  simple  technical  threats,  such  as  those  used  in  the  Milwaukee-414 
caper,  or  those  involved  in  the  various  criminal  acts  of  the  SRI 
database?  The  dominant  point  is:  technology  is  not  the  issue.  There 
are  ample  technological  safeguards  that  can  be  installed,  and  would  be 
effective  against  many  of  the  crimes  that  have  been  perpetrated  and 
against many of the mischievous pranks that have occurred. There are
also procedural and administrative safeguards that can be important
deterrents.  In  the  private  sector,  we  need  only  the  corporate  will  to 
address  the  problem,  and  the  corporate  commitment  to  put  the  issue  on 
the  same  level  of  concern  as  that  of  protecting  other  valuable 
resources.  By  implication,  we  also  need  the  corporate  commitment  to 
spend  the  modest  sums  needed.  Importantly,  we  need  private  sector  users 
of  computers  to  signal  the  computer  industry  that  technical  safeguards 
are  wanted,  are  essential,  and  will  be  paid  for. 

Do not underestimate that last point. Until the IBMs, the DECs,
the  Burroughs,  the  UNIVACs,  and  others  of  the  commercial  computer 
industry  understand  that  their  respective  customer  bases  want  technical 
security  safeguard  features,  the  product  lines  will  not  have  them.  I 
would  suggest  that  the  government  has  a  major  leverage  on  this  issue. 

It  can  make  mandatory  the  inclusion  of  appropriate  technical  security 
features  in  computer  systems  that  it  procures. 

Consider  now  the  people  aspect  of  the  threat.  It  is  a  hard  one  to 
counter  because  one  cannot  legislate  trustworthiness,  and  even  the  most 
extensive  background  investigation  may  not  reveal  deeply  hidden  or 
latent  problems.  To  start  with,  we  must  do  all  that  is  possible  with 
technical  procedural  safeguards;  a  good  array  of  them  will  fend  off 
many  people  problems.  We  might  take  legal  steps.  One  possibility  for 
encouraging  private  sector  response  would  be  to  create  a  basis  in  law 
for  acting  against  the  record-keeping  installation  for  contributory 
negligence  should  state-of-the-art  security  safeguards  not  be  in  place. 

It  might  be  possible  to  extend  the  principle  of  the  attractive 
nuisance,  which  in  a  sense  is  really  what  happens  with  414-type 
activities.  A  computer  system  is  not  a  physically  attractive  nuisance, 
but  rather  an  intellectually  attractive  one  that  causes  imaginative  or 
criminally  minded  people  to  hack  at  computer  systems.  The  legal 
principle  of  an  attractive  nuisance  encourages  people  to  build  fences 
around  swimming  pools;  perhaps  the  same  notion  can  be  elaborated  or 
reinterpreted  to  encourage  operators  of  computer  systems  to  instill 
appropriate  safeguards. 

Incidentally,  for  the  most  part  we  are  not  talking  about  large 
dollar  investments.  Clearly,  if  an  organization  operates  its  computer 
center  behind  a  plateglass  window  and  encourages  casual  visitors  to 
wander  among  the  equipment,  there  might  be  a  significant  initial 
investment  to  physically  secure  the  facility  and  provide  it  with 
appropriate  physical  and  fire  protection.  Beyond  this  phase  though, 
many  organizations  find  that  important  security  safeguards  can  be 
installed  as  part  of  changes  that  are  made  for  other  reasons  and  the 
costs of such security changes are frequently unnoticeable. Cost will
not  be  zero  but  neither  will  it  be  burdensome. 

What about technical safeguards against the people threat? There
are attractive options and I will illustrate with two examples. When an
individual logs on to a computer system, he is normally requested to
supply personal identification and a password which, in effect, is an
authentication of his identity. Someone attempting to penetrate a
computer system tries to guess his way in by masquerading as a
legitimate user. Most systems today permit an indefinite number of
log-on trials. It therefore is feasible for a perpetrator to program a
small computer to systematically try words, combinations of letters and
characters, or other possible passwords until one is found that works.
The movie WarGames showed such a penetration very realistically and
accurately. 

Clearly,  this  is  an  undesirable  and  unsafe  arrangement.  There  is 
no  reason  why  a  computer  should  not  disconnect  an  individual  after  some 
number  of  attempts,  such  as  three  or  five,  and  keep  him  disconnected 
until  his  authenticity  has  been  assured.  Three  weeks  ago  you  heard  from 
Mr.  McClary  of  the  Los  Alamos  National  Laboratory.  He  did  not  mention 
the  arrangement  at  Los  Alamos  with  regard  to  passwords,  but  since  I 
happened  to  have  discussed  computer  security  with  LANL  recently,  let  me 
indicate  how  it  is  handled. 

If  an  individual  --  and  it  might  be  a  respected,  established  senior 
researcher  of  national  repute  --  fails  to  log  on  after  a  number  of 
tries,  such  as  three  or  five,  his  account  is  completely  disabled  until 
he personally appears at the security office and explains why he was
unable to type his password successfully after the prescribed number of
tries. If he fails to log on successfully in a second series of
attempts, his supervisor is required to explain in writing why the
individual in question seems not able to type correctly. While this
process might seem stringent and it is undoubtedly annoying to an
individual, nonetheless disabling repeated log-on attempts is an
appropriate  arrangement  to  fend  off  penetration  attempts  by  guessing  in. 
The  media  reported  the  Security  Pacific  National  Bank  as  having  diverted 
a  presumed  penetrator  by  offering  him  a  game  to  play  while  tracing  the 
origin  of  the  call;  such  an  approach  is  obviously  a  very  imaginative  and 
appropriate  deterrent. 
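
The log-on limit described above, sketched as an added example (not code from the testimony or from Los Alamos): an account is disabled after a fixed number of bad passwords and stays disabled until the user has appeared in person, with a supervisor's written explanation required after a second series. The class and function names, the PBKDF2 password storage and the sample word list are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ROUNDS = 50_000  # assumed work factor for this sketch


def _digest(password, salt):
    """Salted, slow hash so that stored passwords are not kept in the clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0       # bad passwords in the current series
    lockouts: int = 0       # how many series have ended with the account disabled
    disabled: bool = False


class LogonGuard:
    """Disables an account after max_tries bad passwords ("three or five")."""

    def __init__(self, max_tries=3):
        self.max_tries = max_tries
        self.accounts = {}

    def add_user(self, user, password):
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _digest(password, salt))

    def log_on(self, user, password):
        """Return "ok", "denied" or "disabled"."""
        acct = self.accounts.get(user)
        if acct is None:
            return "denied"
        if acct.disabled:
            return "disabled"  # refused without checking: the right password no longer helps
        if hmac.compare_digest(_digest(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= self.max_tries:
            acct.disabled = True
            acct.lockouts += 1
            return "disabled"
        return "denied"

    def reinstate(self, user, appeared_in_person, supervisor_memo=""):
        """Re-enable an account only after the out-of-band checks have been made."""
        acct = self.accounts.get(user)
        if acct is None or not acct.disabled:
            return False
        if not appeared_in_person:
            return False
        # Second and later series: the supervisor must explain in writing.
        if acct.lockouts >= 2 and not supervisor_memo.strip():
            return False
        acct.disabled = False
        acct.failures = 0
        return True


def guesses_evaluated(guard, user, wordlist):
    """Feed candidate passwords to the guard, as a guessing program would.

    Returns (number of candidates the system actually checked, whether one worked).
    """
    evaluated = 0
    for word in wordlist:
        if guard.accounts[user].disabled:
            break
        evaluated += 1
        if guard.log_on(user, word) == "ok":
            return evaluated, True
    return evaluated, False


if __name__ == "__main__":
    words = ["secret", "password", "letmein", "tungsten-lamp"]  # constructed sample list
    limited = LogonGuard(max_tries=3)
    limited.add_user("researcher", "tungsten-lamp")
    unlimited = LogonGuard(max_tries=10**6)  # models "an indefinite number of log-on trials"
    unlimited.add_user("researcher", "tungsten-lamp")
    print("with limit:   ", guesses_evaluated(limited, "researcher", words))
    print("without limit:", guesses_evaluated(unlimited, "researcher", words))
```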

A second example. Since every computer system has to be started at
some time, invariably there is a mechanism for accomplishing what is
called the initial software load. Often this takes the form of a
button, a switch, or a sequence of actions by the console operator.
Imagine a scenario in which an operator on the graveyard shift finds the
machine inactive and decides to do something in his own behalf such as
illegally copying a sensitive file of information. Having done so, he
simply reloads the machine as though it had stopped for some reason;
there will be no record of what he has surreptitiously done. There are
obvious technical offsets to such malfeasance by operators, but they do
not exist in marketed machines. Even the procedure of two-person
control  as  used  by  the  military  would  be  a  deterrent. 
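
One possible technical offset to the unrecorded reload, as an added example (the testimony names none beyond two-person control): a reload needs two distinct operators, and every console event goes into a hash-chained log so that a removed or altered record is detectable. The hash chain, the record layout and all names are assumptions of this sketch.

```python
import hashlib
import json

GENESIS = "0" * 64  # 'prev' value carried by the first record
FIELDS = ("seq", "event", "operators", "prev")


def _digest(record):
    """SHA-256 over the record's content fields (not over 'digest' itself)."""
    content = {k: record[k] for k in FIELDS}
    return hashlib.sha256(json.dumps(content, sort_keys=True).encode()).hexdigest()


class ConsoleLog:
    """Append-only operator log; assumed to sit on media the operator cannot rewrite."""

    def __init__(self):
        self.records = []

    def append(self, event, operators):
        prev = self.records[-1]["digest"] if self.records else GENESIS
        record = {"seq": len(self.records), "event": event,
                  "operators": sorted(operators), "prev": prev}
        record["digest"] = _digest(record)
        self.records.append(record)
        return record["digest"]


def request_reload(log, requested_by, approved_by):
    """Two-person control: the reload proceeds only with a second, different operator.

    Refused requests are logged too, so a solo attempt leaves a trace.
    """
    if not approved_by or approved_by == requested_by:
        log.append("reload_refused", [requested_by])
        return False
    log.append("reload", [requested_by, approved_by])
    return True


def first_bad_record(records, expected_head=None):
    """Return the index of the first record that breaks the chain, or -1 if intact.

    expected_head is the latest digest as noted off the machine; without it,
    records cut from the end of the log would go unnoticed.
    """
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["seq"] != i or rec["prev"] != prev or rec["digest"] != _digest(rec):
            return i
        prev = rec["digest"]
    if expected_head is not None and prev != expected_head:
        return len(records)
    return -1


if __name__ == "__main__":
    log = ConsoleLog()
    log.append("file_copy", ["night_op"])               # constructed sample events
    print(request_reload(log, "night_op", "night_op"))  # refused: same person twice
    print(request_reload(log, "night_op", "shift_lead"))
    head = log.records[-1]["digest"]
    print(first_bad_record(log.records, head))          # intact log
    print(first_bad_record(log.records[1:], head))      # copy record removed
```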

We  need  a  menu  of  technical  features  that  machines  should  have  in 
order to help offset aspects of the people-threat problem. Let me offer
you  a  recommendation: 

Task  the  Institute  of  Computer  Science  and  Technology  of  the 
National  Bureau  of  Standards  to  produce  such  a  list  of  options, 
and  consider  making  it  mandatory  in  government  acquisitions 
of  computer  systems. 

Now  to  the  question  of  where  the  wisdom  will  come  from  within 
government  to  deal  with  the  broad  dimensions  of  computer  security.  I 
remind  you  that  there  are  technical  aspects  of  it  related  to  not  only 
hardware  and  software  but  also  to  communication  security  and  radiation 
security  (TEMPEST);  but  in  addition  there  are  physical,  procedural, 
personnel, and administrative aspects. Every one has to be attended to,
especially the last three. A computer system with the best technical
safeguards can be readily penetrable if it is operated with sloppy and
careless procedural and administrative arrangements by people with
uncertain backgrounds. Where will the government develop the guidance
that  it  needs  on  these  many  dimensions? 

Many  of  them  are  already  in  hand  because  they  are  understood  for 
other  reasons.  For  example,  the  Department  of  Defense  certainly  knows 
how  to  deal  with  physical  security  and  with  personnel  security;  its 
experience is available to other agencies of government as might be
needed.  The  TEMPEST  radiation  issue  is  understood  and  safeguards  for  it 
exist.  There  are  many  private  organizations  today  that  can  advise  on 
file  protection,  physical  protection,  personnel  control,  and  the  likes. 
But,  in  government  where  does  the  technical  software/hardware  guidance 
come  from?  And  where  does  the  contextual  administrative  and  management 
guidance  come  from? 

What  are  the  government's  principal  assets?  You  heard  from  them  on 
October  17;  the  Institute  of  Computer  Science  and  Technology  of  the 
National  Bureau  of  Standards,  the  Computer  Security  Center  of  the 
National  Security  Agency,  and  GSA.  Take  the  CSC  first. 

The  focus  of  concern  in  CSC  is  "trusted  systems"  and  especially 
"trusted  software."  Understand  the  word  "trust"  as  you  would 
intuitively  think  of  it;  namely,  one  can  have  confidence  that  the  system 
or  the  software  will  do  what  it  is  supposed  to  do,  and  one  can  have 
confidence  that  it  will  not  do  what  it  is  not  supposed  to  do.  Keep  in 
mind  that  CSC  is  a  Department  of  Defense  entity,  and  therefore  its  focus 
of  concern  is  on  defense  systems  and  especially  with  a  sophisticated 
technical  threat.  It  can  and  it  will  provide  expertise  to  address  the 
software/hardware  issue. 

I  suggest  to  you  that  the  problem  of  incorporating  security 
safeguards  in  software  --  and  of  knowing  that  they  are  really  there  and 
functioning  correctly  --  is  so  difficult  technically  and  the  country's 
expertise is so minimal on it, that we can staff only one such Center
at the moment. We would be wise to place all our eggs in this one
basket with regard to trusted software until additional expertise can be
developed over the next five to ten years. While CSC will also be
concerned with other security aspects of systems that contain both
computers and communications, it will not be concerned with the general
administrative and procedural environment in which secure systems must
be  operated. 

The  ICST  of  the  NBS  is  also  involved  in  technical  work.  For 
example, it was the source of the Digital Encryption Standard some five
years  ago  and  it  made  a  very  significant  contribution  to  the  protection 
of  information  while  in  transit  through  a  communication  network.  It 
also  publishes  the  Federal  Information  Processing  Standards  which  deal 
with such issues as the use of DES, the management of keys for it, risk
assessment and risk management. But, neither the ICST nor the CSC is
providing the comprehensive overview that can stipulate:

• Here is how one runs a computer system and does it securely.

• Here are the procedural and administrative safeguards that must
be in place.

• Here are the specific risks that people represent.

• Here are the countermeasures that can be taken against the
nontechnical threats.

• Here are the management mechanisms to oversee security
safeguards.

• Here are the general protective precautions that can be taken.
Etc.

No entity in government has addressed the general policy issue of
what constitutes a comprehensive top-to-bottom prescription for
installing security controls, nor identified the many dimensions of such
a policy and made it available as guidance. It is being done piecemeal;
every agency is inventing it for itself or not doing it. There is some
policy guidance in the DoD in the form of general regulations and
directives. There are interagency committees and technical
organizations in which people can trade ideas and talk with one another.
In the private sector, major corporations have built their own policy
structures and implementing details.

The  government  truly  needs  a  comprehensive  "how  to  do  it"  document 
that  sets  forth  preferred  practices  and  procedures  for  operating  a 
secure computer system. The private sector could well use the same
thing. The ideas and the information exist but everything is scattered.
The information is not collected and coordinated; it is in people's
heads or embodied in daily activities and not otherwise documented. We
--  the  country  --  need  to  organize  the  collective  wisdom  of  what  is 
known  and  what  is  being  done  and  make  it  widely  available. 

As  a  first  step,  I  would  note  that  the  General  Services 
Administration  has  had  a  major  role  in  government,  and  it  therefore 
seems  reasonable  to  recommend  that: 

You task the GSA to compile such a comprehensive handbook of
preferred practices and procedures for running a computer center
securely.

It is not a big undertaking. It is not an endeavor for tens or dozens
of people working for many years. One could survey the federal agencies
and a selected set of large corporations, assemble the composite wisdom
of what is being done and what is known, and get it written down. I
would submit that it is a chore for a few people for a year [illegible].

We are seeing the emergence of systems that contain vast amounts of
information about people but not for record-keeping purposes. Let me
illustrate in terms of electronic mail, which the U.S. Postal Service is
promoting as E-COM. The purpose of such a service is to transport
information from sender to addressee and to the extent that such
information is personal in nature, the system will contain much
information about people but not for record-keeping purposes. In
addition to the message content, the system will contain information
relating addressee to sender. In principle, such information could be
used to establish relationships among groups of people, organized
groups or [illegible]

I do not know the motivations of the investigative groups; I have
only one side of the story. Perhaps they were tracking down hackers, or
maybe it had to do with possible fraud or embezzlement. I have no wish
to make this incident a cause celebre, but it is very useful to
underscore the ease with which new privacy issues arise as computer and
communications technology is exploited to provide a wide variety of new
services to a wider and wider population of users.

It is an example of a new dimension of privacy -- "access without
action"; computer matching of files exhibits the same dimension.
Individuals who happen to keep records in a computer system or who are
record subjects in a computer file have their privacy invaded whether or
not an individual has done something wrong. Private information gets
exposed to a third party and possibly to hostile eyes. In effect, all
the hundreds of office workers or all the [illegible] subjects in a computer
file have, a priori, been assumed to be guilty; the examination of mail
or the matching of computer records is to demonstrate that they are not.
Much information about people has been seen but no action taken. It
sounds like a back-end-to process of justice.

There are some happy aspects of the office-automation seizure. In
such a system, hundreds of people will keep hundreds of messages each;
there will be tens-of-thousands of messages altogether. Only two
[illegible] ones were found: a baby sitter's phone number and a cooking
recipe. The odds are that each item, admittedly personal, was
transmitted more efficiently by electronic mail than by a phone call or
a walk to another person's desk; the electronic mail system surely
diverted much less people time from the job than any other means of
interpersonal communication.

Certainly there are management problems in assuring that [illegible]
or business resources are not used for personal reasons, but I [illegible]
the management discipline of an agency that operates [illegible] tight
facility -- two items out of many tens-of-thousands is really an
infinitesimal ratio; and I acknowledge the integrity of the hundreds of
people who are using it.

Let us examine the possibility that an agency of government were to
use a commercial electronic mail service which is supplied by a computer
host that is most likely not in the District.3 There is no question but
that  electronic  mail  is  an  efficient  mechanism  to  facilitate  the  conduct 
of  business  in  any  large  organization;  that  is  not  the  issue.  What  are 
the  risks  to  such  an  arrangement?  I  can  offer  some  considered 
observations  --  which  importantly  would  not  be  unique  to  any  one  private 
sector  vendor. 

•  It  is  unlikely  that  the  phone  lines,  whether  dial-up  or 
dedicated,  between  Washington  and  "the  other  state"  would  be 
protected  by  an  encryption  process.  Electronic  eavesdropping 
and  wiretapping  would  therefore  be  possible  threats. 

•  It  is  unlikely  that  the  computer  system  would  have  special 
security  safeguards  because  commercial  equipment  is  often  used 
for  such  services.  One  would  assume  that  the  vendor  has 
provided appropriate physical, administrative, and personnel
safeguards.

•  Since  the  electronic  traffic  would  flow  across  state  lines,  it 
becomes  a  matter  for  federal  law;  but  there  is  no  law  under 
which  the  information  would  be  protected. 

•  In  principle,  the  body  of  computer-contained  electronic  mail 
would be subject to the same seizure as the office workers
experienced; the private vendor would have no legal standing to
resist. While I would not suggest for a moment that some
agency of government would set out to seize the electronic mail
of another, a dissident group might and such mail could get
caught up in an investigative sweep aimed at someone else.


3 After the presentation of this testimony, the author's attention
was called to a New York Times article ("White House Link: Computer in
Ohio"; David Burnham, July 13, 1983, Late City final Edition, page 18,
section A, column 4) which describes the Executive Data Network which
provides the Executive Branch of government with electronic mail
services from a system in Columbus, Ohio. The article also reported by
name the officials who were to use it.

Why all my emphasis on both security and privacy of electronic
mail? You must not think of electronic mail as solely the electronic
analog of the envelope. Perhaps one-fourth of my business interactions
and transactions occur electronically; at the moment there are about [illegible]00
messages in my mailbox and it can get as high as a thousand. Why? It
represents the written record of my conduct of business with a variety
of individuals and organizations; it is much more efficient than writing
letters, making phone calls, and then writing memoranda-of-record.
Moreover, I can organize the messages by folders and subfolders so that
the system becomes a comprehensive automated filing and information
retrieval system. Anyone having access to such a body of information
might as well have the key to the office and to its file cabinets.

Such comprehensive business records service is what electronic mail
is really all about, and it is the service that will be offered by the
private sector. Can you imagine the situation when all that information
-- both private and corporate -- gets into electronic mail systems? Can
you imagine what a lucrative target it will become for all sorts of
reasons? The computer matching we have seen so far will be nothing
compared to what might arise when someone thinks about comparing files
from electronic mail systems.

Here are some of the issues for information in such systems:

• It is not clear who owns it. Does the owner of the computer
system per se own it? Does he have the right to witch-hunt
through the information in his system as he sees fit? Or if
asked to by a third party?

• It is not clear if, or by what law, it is protected. What will
be the situation for intrastate offerings of service vs.
interstate offerings? And in the long run, for international
offerings?

• It is not clear what the search-and-seizure situation is; can
the private vendor be given legal standing to resist? What
should be his obligations to the users of his system in case of
attempted seizure?

• It is not even clear what the liability of the purveyor of the
service might be, should something happen to one's electronic
mail records. What is his responsibility or obligation if his
system accidentally spills information to the wrong party?
What is his responsibility if his maintenance people
accidentally see such mail information and use it for private
gain, for personal embarrassment, for political advantage, or
for a breach of national welfare and security?

• What are the vendor's obligations to provide comprehensive
security safeguards for his system? Should they be mandated by
law? Should it be caveat emptor? For private sector and
government use alike? Should the government be concerned that
so much corporate information might be subject to penetration
by unfriendly agents?

• How should electronic mail be treated relative to telephone
conversations? Over the years, certain privacy protections
have arisen for telephone billing records; formal legal
processes are necessary to wiretap or to obtain records.
Should similar protections exist for electronic mail? Within
government, as well as in private sector, as well as in
regulated public utility?

Many of these same concerns will also be pertinent to other
systems. For example, there is voice mail which is the spoken analog of
electronic mail -- a service which is actively being promoted by private
vendors and by various telephone companies. Voice mail has all the
vulnerabilities that electronic mail has when offered p: >1 u vendors;
moreover, an intruder can always claim that a particular individual's
voice can be recognized although his typed signature can be forged by
someone else at the keyboard. Encryption techniques can be used to
protect electronic mail but present systems do not offer
sender-to-reader encryption options. It is much more difficult
technically to provide speaker-to-listener protection for voice mail.

There is, in addition, the body of information which is collected
about people by point-of-sale systems, by debit card systems on the
merchant's premises, by automated checkout stands in grocery stores, and
a whole host of others. In each case the system exists for some purpose
other than the traditional record-keeping one; each happens to contain
information about people as a collateral consequence of its primary
intent. But the whole subject of privacy ahead, of what the future
holds for privacy, of what its new dimensions are, is for another day; I
have left you just a little teaser of what it will be all about.

Clearly,  electronic  mail  is  upon  us  now. 

Let me speak to the issue of a National Commission. Congressman
Wirth and Mr. Parker suggested to you on September 26 that a national
commission to investigate computer crime would be appropriate. A year
or so ago I suggested at a National Computer Conference that a National
Commission would be an appropriate forum in which to examine possible
vulnerabilities of our highly computerized society. The fact is that
there is a whole set of interrelated issues that could well be
collectively examined by a congressionally chartered commission. The
common element to all of them is information handling as performed by
computer and communication systems. Included would be such things as
computer-related crime, new dimensions of privacy, national
vulnerability as a result of computerization, rep e -em at ion of
information, social consequences of intensive computerization, personal
identification in a highly automated society, lih. !o, at ion-, power as a
result of concentrations of information, and others.

My personal experience with the Privacy Protection Study Commission has
persuaded me that a congressionally chartered commission is an
appropriate mechanism to address broad national issues that transcend
the jurisdictional boundaries of federal agencies and also transcend
public and private sector interests. Such a commission can provide an
enormous bargain for the country in terms of work accomplished. For
example, the PPSC delivered about 60 man-years of research on the
subject of record-keeping practices in the private sector for about $2.‘>
million. That equates to about $40,000 per person-year of effort which
is about one third of what it would cost if done by a contractor. In my
view there is a right and a wrong way to structure a commission, but
that is a subject for another time if the Congress should be persuaded
to move that way.

Congressman Glickman, I have given you a once-over-lightly on some
aspects of a very intricate and complex issue. I would be glad to deal
in more depth with such aspects as you may wish, either in writing or
personal discussion with your staff. There must be a national concern
for providing adequate security protections in our public and private
information systems and for attending the new privacy issues that arise.
We know a lot about doing it, but it needs to be organized into a
concerted effort. If the Congress has the will to pursue this issue and
to pay sufficient attention to it, my feeling is that the time is right
for action.

To begin with, let's get the GSA going; let's put ICST to work;
let's address electronic mail as the most pressing of the new dimensions
of privacy. Let's think about making 1984 "the right year" to launch a
Commission to comprehensively examine the many issues of which we have
talked.

[At the conclusion of the testimony and questions, the chairman,
Congressman Glickman, read excerpts from a New York Times article
("Computer Intrusion Reported in IS Companies and U.S. Agencies"; Joseph
B. Treaster, Sunday, October 23, 1983, page 21). It described the
penetration of the Telemail service offered by GTE, and the apparent
access to the electronic mail of major U.S. companies such as Raytheon,
Coca Cola U.S.A., the 3M Company, and of several federal agencies such
as NASA and the Department of Agriculture.]


Note added in proof:

Subsequent to the completion of this document, a New York Times article
discussed the incident referenced anonymously on page 11 above ("Can
Privacy and Computer Coexist?"; David Burnham, Saturday, November 5,
1983, page 11). It identified the "federal agency" as the Army's
DARCOM, the "in-house investigative staff" as the Army's Criminal
Investigation Division, and the "outside law enforcement entity" as the
FBI. It also mentions that the incident was originally described in an
ARPANET message and includes quotes from it. In addition, it
paraphrases three responses from various individuals.


